CN101534289A - Method, node device and system for traversing a firewall

Info

Publication number
CN101534289A
Authority
CN
China
Prior art keywords
firewall
information
node
Legal status
Granted
Application number
CN200810085044A
Other languages
Chinese (zh)
Other versions
CN101534289B (en)
Inventor
张琳
禹可
李欣
王斌斌
温兴华
彭炎
Current Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications
Original Assignee
Huawei Technologies Co Ltd
Beijing University of Posts and Telecommunications

Abstract

The invention discloses a method, a node device and a system for traversing a firewall, belonging to the field of communications. The method includes the following steps: after receiving a query message, a node that has a firewall records its firewall information in the query message and forwards the query message downstream; after receiving the query message sent from upstream, a destination node confirms, from the firewall information in the query message, whether a firewall exists on the path and returns the global information of the firewalls on the path to the initiating node of the query; and the destination node or the initiating node initiates firewall traversal when a firewall exists on the path. The node device comprises a sending module, a receiving module and a processing module. The system comprises the initiating node, the intermediate node and the destination node. The invention can be combined seamlessly with the existing NSIS-based firewall traversal mechanism, thereby avoiding the extra signaling spent by a firewall discovery mechanism that is not based on NSIS and further reducing network delay.

Description

Firewall traversal method, node device and system
Technical field
The present invention relates to the communications field, and in particular to a firewall traversal method, node device and system.
Background technology
With the rapid development of network technology and wireless communication equipment, people increasingly want to obtain information from the Internet anywhere and at any time. For this situation the prior art provides a protocol supporting the mobile Internet, namely Mobile IP. Mobile IP is a network-layer scheme that provides mobility on the Internet, so that a node does not interrupt ongoing communication when it switches links. In simple terms, Mobile IP provides a network-layer routing mechanism that lets a mobile node (MN, Mobile Node) attach to any link while keeping one permanent IP address, the purpose being to route packets to a mobile node that may be changing its position rapidly.
To support the mobility of mobile nodes better, the prior art provides Mobile IPv6. Referring to Fig. 1, while the MN is on its home network it works like a host at a fixed location and Mobile IP needs to perform no special operation. When the MN leaves the home network and enters a foreign network, it operates as follows:
(1) The MN obtains a care-of address (CoA, Care-of Address) through the usual IPv6 stateless or stateful auto-configuration mechanism;
(2) After obtaining the CoA, the MN registers with the home agent (HA, Home Agent): the MN sends the HA a Binding Update (BU) message reporting the CoA, so that the HA establishes a binding between the MN's home address (HoA, Home Address) and its CoA.
In this way, after the MN moves, packets sent to the MN by the correspondent node (CN, Correspondent Node) are forwarded by the HA to the MN's new care-of address. This routing mode is called the bidirectional tunnel mode.
Because the bidirectional tunnel mode adds tunnel overhead and a triangle routing problem when carrying data, MIPv6 proposes a Route Optimization mode for data transfer in order to save resources. The transfer mode is as follows:
(1) The MN and the CN complete the Return Routability Procedure (RRP). Its main steps are: the MN sends a HoTI message to the CN from its HoA and a CoTI message to the CN from its CoA; the CN returns a HoT message to the MN's HoA and a CoT message to the MN's CoA. The purpose of the RRP is to confirm that the MN which will carry out the subsequent BU/BA (Binding Acknowledgement) exchange with the CN really owns the [HoA, CoA] address pair it claims, and to exchange keying material.
(2) The MN sends a Binding Update (BU) to the CN to establish the binding, and the CN returns a Binding Acknowledgement (BA) to the MN; this exchange is protected with the key negotiated in step (1).
The MN then sets the source address of its data packets to its current CoA and places its HoA in the Home Address option, so it can send data directly to the CN without relaying through the HA. This mode is called the route optimization mode.
At present a large number of firewalls were deployed while IPv4 networks were dominant, so the ability of these firewalls to process IPv6 messages is limited, and they cannot recognise Mobile IPv6 signaling in particular. For example, after the MN moves to a foreign network, the Mobile IP messages sent to the HA through the tunnel must be encapsulated with ESP (Encapsulating Security Payload), and firewalls in existing networks may drop ESP-encapsulated packets, so that the Mobile IP messages never arrive. For this reason, before sending normal packets it is necessary to use signaling to pass through the firewall and make legitimate modifications to its filtering rules, thereby achieving firewall traversal.
The NSIS (Next Steps In Signaling) working group has proposed a firewall traversal method. The basic idea of NSIS is to separate signaling transport from signaling applications. Referring to Fig. 2, the NSIS protocol architecture divides the signaling protocol into two layers: the NSLP (NSIS Signaling Layer Protocol) layer and the NTLP (NSIS Transport Layer Protocol) layer. Firewall traversal is implemented in the NSLP.
The main task of the NTLP layer is to carry signaling messages from the NSIS Initiator (NI) to the NSIS Responder (NR); if an end system itself does not support NSIS, this can be done through a proxy. The concrete protocol implementing the NTLP is GIST (General Internet Signaling Transport).
GIST is a soft-state protocol: the control state in a network node must be refreshed continually, otherwise it times out and becomes invalid. GIST runs on top of standard transport and control protocols, for example UDP (User Datagram Protocol), TCP (Transmission Control Protocol), SCTP (Stream Control Transmission Protocol) or DCCP (Datagram Congestion Control Protocol).
The basic GIST message types are:
the GIST-Query, GIST-Response and GIST-Confirm messages of the three-way handshake;
the GIST-Data message that carries NSLP data;
the GIST-Error and GIST-MA-Hello messages used for error indication and for maintaining a messaging association.
The NSLP layer carries out the specific signaling application function, including the format of the messages exchanged between NSLP peer entities and their processing rules; one NSLP serves one specific signaling application, and NSLP signaling messages are transported by the NTLP. Firewall traversal is performed by the NAT/FW NSLP, mainly by sending signaling to configure the NATs (Network Address Translators) and FWs (firewalls) on the path. When the signaling passes a node on the path that supports NSIS, the NAT/FW NSLP of that node reacts to it by creating firewall rules (for example a pinhole in the FW or a binding in the NAT), thereby modifying the firewall policy or configuring the NAT.
The NAT/FW NSLP message types are:
CREATE: mainly used so that the data flow initiated by the sender can traverse the NAT/FW; after receiving this message an intermediate node on the path enters a state waiting for the RESPONSE message;
EXTERNAL: used by a node inside a private network to traverse the NAT by reservation. When data is sent from the global network into the private network, the originating node cannot learn the private address, so it first sends an EXTERNAL message to the edge router to reserve a public address;
RESPONSE: used to report the success or failure of an operation, possibly together with information about the session or node; on receiving a RESPONSE indicating success, the node configures the corresponding firewall policy;
NOTIFY: an asynchronous message used by a NAT/FW node to alert upstream NAT/FW nodes of particular events.
Referring to Fig. 3, the signaling flow of the prior-art NSIS-based firewall traversal is as follows:
1) The NI (NSIS Initiator) initiates the NSLP-layer CREATE signaling message; when it reaches the NTLP layer, the NTLP first performs a three-way handshake with the NF (NSIS Forwarder) node using the GIST-Query, GIST-Response and GIST-Confirm messages;
2) The NTLP layer packages the CREATE message in GIST-data-CREATE form and sends it to the next NF node, which caches the traversal policy locally;
3) Signaling state is established hop by hop in this way; after the NR (NSIS Responder) successfully receives the GIST-data-CREATE message, it sends a RESPONSE message, packaged in GIST-data-RESPONSE form;
4) After receiving the GIST-data-RESPONSE message, each NF node on the path configures its firewall policy according to the cached policy, thereby completing the traversal.
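The prior-art flow of Fig. 3 as an added, runnable simulation (not code from the patent or from any NSIS implementation): a path of NSIS nodes performs the GIST handshake hop by hop, each NF caches the policy carried in GIST-data-CREATE, and only the NR's RESPONSE reporting success causes the cached policy to be configured into the firewall. The node class, the string message names and the "pinhole" rule structure are assumptions made here for illustration; the failure case (NR rejects, nothing is installed) is included because that is the behaviour the RESPONSE message type is defined for.

```python
"""
Simulation of the prior-art NSIS firewall-traversal signaling of Fig. 3
(NI -> NF ... -> NR): the GIST three-way handshake on each hop, the NSLP
CREATE carried as GIST-data-CREATE, per-hop caching of the requested policy,
and the RESPONSE on whose success each NF configures its firewall.

Added example; not code from the patent or from any NSIS implementation.
The node class, the string message names and the 'pinhole' rule structure
are assumptions made here for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pinhole:
    """The rule the CREATE asks every firewall on the path to open."""
    src: str
    dst: str
    proto: str


@dataclass
class NsisNode:
    name: str
    has_firewall: bool = False
    gist_peers: set = field(default_factory=set)   # peers with NTLP state (after handshake)
    pending: dict = field(default_factory=dict)    # session -> rule cached from CREATE
    installed: list = field(default_factory=list)  # rules configured into the firewall
    log: list = field(default_factory=list)

    def handshake(self, peer: "NsisNode") -> None:
        """GIST-Query / GIST-Response / GIST-Confirm between adjacent NSIS nodes."""
        for msg in ("GIST-Query", "GIST-Response", "GIST-Confirm"):
            self.log.append(f"{self.name}<->{peer.name}: {msg}")
        self.gist_peers.add(peer.name)
        peer.gist_peers.add(self.name)

    def receive_create(self, session: str, rule: Pinhole) -> None:
        """GIST-data-CREATE: cache the policy and wait for the RESPONSE."""
        self.pending[session] = rule
        self.log.append(f"{self.name}: cached CREATE for {session}")

    def receive_response(self, session: str, success: bool) -> None:
        """GIST-data-RESPONSE: configure the cached policy only on success;
        a failure (or a RESPONSE for an unknown session) installs nothing."""
        rule = self.pending.pop(session, None)
        if rule is None:
            return
        if success and self.has_firewall:
            self.installed.append(rule)
            self.log.append(f"{self.name}: installed {rule}")
        else:
            self.log.append(f"{self.name}: dropped {session} (success={success})")


def run_traversal(path: list, session: str, rule: Pinhole, nr_accepts: bool = True) -> dict:
    """Drive the Fig. 3 flow along path[0] = NI ... path[-1] = NR and return,
    for every firewall node, the rules it installed for this session."""
    nr = path[-1]
    # Steps 1 and 2: handshake with the next hop if no NTLP state exists yet,
    # then hand the CREATE to it as GIST-data-CREATE, hop by hop downstream.
    for up, down in zip(path, path[1:]):
        if down.name not in up.gist_peers:
            up.handshake(down)
        down.receive_create(session, rule)
    # Step 3: the NR answers with RESPONSE, packaged as GIST-data-RESPONSE.
    nr.log.append(f"{nr.name}: RESPONSE success={nr_accepts}")
    # Step 4: each node on the return path acts on the RESPONSE.
    for node in reversed(path):
        node.receive_response(session, nr_accepts)
    return {n.name: [r for r in n.installed if r == rule] for n in path if n.has_firewall}
```

The point worth noticing for a defender is that no firewall rule is created by the CREATE itself: the policy only sits in the per-hop cache until the responder's RESPONSE confirms it, so a rejected request leaves every firewall on the path unchanged.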
A prerequisite for traversing a NAT/FW is discovering it. For NATs, the STUN (Simple Traversal of UDP Through Network Address Translators) protocol already handles NAT discovery. For firewalls, the NSIS mechanism defines the signaling flow for traversal, but how to judge whether a firewall exists on the path, and which firewalls are on it, so as to determine the target of the signaling exchange, has not yet been defined.
The prior art has a firewall discovery method that is unrelated to NSIS; it works as follows:
1) The MN sends an ESP-encapsulated packet and a UDP-encapsulated packet to the HA as probes (called FD messages). If there is a firewall on the path, the ESP-encapsulated packet is blocked while the UDP-encapsulated packet passes; if there is no firewall, both probes pass;
2) For each probe it receives, the HA returns a reply IP packet (called an FDr message) with the corresponding encapsulation: an ESP-encapsulated reply for an ESP-encapsulated probe, and a UDP-encapsulated reply for a UDP-encapsulated probe;
3) The MN judges whether there is a firewall on the path from the encapsulation of the reply returned by the HA: if the reply is in ESP format, there is no firewall on the path between the MN and the HA; if the reply is in UDP format, there is a firewall on the path between the MN and the HA.
In the course of making the present invention, the inventors found that the existing firewall discovery method has at least the following problems:
1) Using new signaling for firewall discovery brings extra signaling overhead and increases network delay. The NSIS protocol configures firewall policy through signaling and its flow is already fairly complex; adopting this scheme adds yet another signaling flow;
2) It is ineffective for some types of firewall (such as stateful firewalls), which limits its practical application;
3) The scheme can only discover a firewall if the configured firewall policy lets UDP-encapsulated packets through, which brings security problems.
Summary of the invention
The present invention discovers firewalls and traverses them by extending NSIS, and provides a firewall traversal method, node device and system that are simple to implement, save the overhead of firewall traversal, reduce network delay, and reduce the complexity of the existing firewall traversal signaling.
The technical solution is as follows:
A firewall traversal method, comprising:
after a node having a firewall receives a query message, recording the firewall information of that node in the query message and forwarding the query message downstream;
after a destination node receives the query message sent from upstream, confirming whether a firewall exists on the path according to the firewall information in the query message;
the destination node returning the global information of the firewalls on the path to the initiating node of the query message according to the result of the confirmation;
when a firewall exists on the path, the destination node or the initiating node initiating firewall traversal.
A node device, comprising:
a sending module for sending a query message downstream, the query message carrying a firewall information object;
a receiving module for receiving the global firewall information on the path returned by the destination node, the global firewall information comprising the firewall information in the query message and the information of the entity that initiates firewall traversal;
a processing module for judging, according to the initiating-entity information received by the receiving module, whether firewall traversal is needed, and if so initiating firewall traversal according to the firewall information.
A node device having a firewall, comprising:
a receiving module for receiving a query message;
an information recording module for recording the firewall information of this node in the query message received by the receiving module;
a sending module for sending the query message after the information recording module has recorded the firewall information.
A node device, comprising:
a receiving module for receiving the query message sent by an upstream node;
a firewall discovery module for judging whether a firewall exists on the path according to the firewall information in the query message received by the receiving module;
a processing module for returning the global firewall information on the path to the initiating node of the query message according to the judgement of the firewall discovery module, the global firewall information comprising the firewall information in the query message and the information of the entity that initiates firewall traversal, and for initiating firewall traversal when a firewall exists on the path and the traversal entity is this node itself.
A system, comprising:
an initiating node for sending a query message downstream;
an intermediate node for receiving the query message from upstream and, when this node has a firewall, recording the firewall information of this node in the query message and sending the query message on;
a destination node for receiving the query message from upstream, judging whether a firewall exists on the path according to the firewall information in the query message, returning the global firewall information on the path to the initiating node, the global firewall information comprising the firewall information in the query message and the information of the entity that initiates firewall traversal, and initiating firewall traversal when a firewall exists on the path.
A system, comprising:
an initiating node for sending a query message downstream, and for receiving the global firewall information on the path returned from downstream, the global firewall information comprising the firewall information and the information of the entity that initiates firewall traversal, judging from the initiating-entity information whether firewall traversal is needed, and if so initiating firewall traversal according to the firewall information;
an intermediate node for receiving the query message from upstream and, when this node has a firewall, recording the firewall information of this node in the query message and sending the query message on;
a destination node for receiving the query message from upstream, judging whether a firewall exists on the path according to the firewall information in the query message, and returning the global firewall information on the path to the initiating node.
By carrying firewall information in the query message, the embodiments can discover the firewalls on the path and traverse them, can be combined seamlessly with the existing NSIS-based firewall traversal mechanism, and avoid the extra signaling overhead of a separate firewall discovery mechanism not based on NSIS, thereby saving overhead and reducing network delay.
Description of drawings
Fig. 1 is a schematic diagram of the Mobile IPv6 network structure provided by the prior art;
Fig. 2 is a schematic diagram of the NSIS protocol architecture provided by the prior art;
Fig. 3 is the signaling flow diagram of the prior-art NSIS-based firewall traversal;
Fig. 4 is the flow diagram of the firewall traversal method provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of the format of the firewall information object provided by an embodiment of the invention;
Fig. 6 is the firewall traversal signaling flow diagram provided by embodiment 1 of the invention;
Fig. 7 is the firewall traversal signaling flow diagram provided by embodiment 2 of the invention;
Fig. 8 is the firewall traversal signaling flow diagram provided by embodiment 3 of the invention;
Fig. 9 is a schematic diagram of the node device provided by embodiment 4 of the invention;
Fig. 10 is a schematic diagram of the node device provided by embodiment 5 of the invention;
Fig. 11 is a schematic diagram of the node device provided by embodiment 6 of the invention;
Fig. 12 is a schematic diagram of the system provided by embodiment 7 of the invention;
Fig. 13 is a schematic diagram of the system provided by embodiment 8 of the invention.
Embodiments
To make the purpose, technical solution and advantages of the present invention clearer, the embodiments of the invention are described in further detail below with reference to the accompanying drawings.
The embodiments of the invention discover firewalls based on NSIS and traverse them, specifically comprising:
after a node having a firewall receives a query message, recording the firewall information of that node in the query message and forwarding the query message downstream;
after a destination node receives the query message sent from upstream, confirming whether a firewall exists on the path according to the firewall information in the query message;
returning the global information of the firewalls on the path to the initiating node of the query message according to the result of the confirmation;
when a firewall exists on the path, the destination node or the initiating node initiating firewall traversal.
The embodiments are aimed mainly at firewall traversal in Mobile IPv6. When NSIS is used to traverse a firewall, the NTLP-layer Query message is sent first, and by extending the Query message it also carries a firewall discovery request. When the Query passes an NTLP node that has a firewall, the NTLP state machine of that node adds the firewall information to the Query message. After NTLP state has been fully established along the path (so that the information of every firewall on the path has been added to the Query message), the firewall information on the path is returned to the initiating node according to what was recorded in the Query message, and it is judged whether a firewall exists on the path. If there is no firewall, the NSIS signaling stops; if there is, the upper-layer NAT/FW NSLP is notified, according to the characteristics of the firewalls on the path, to initiate forward or reverse firewall traversal, and the lower-layer NTLP state does not have to be established again.
Taking as an example the case where the MN, after moving, needs to traverse the firewall between itself and the HA, and referring to Fig. 4, the method includes the following steps:
Step 101: After the MN moves to a new foreign network and obtains a CoA, it reports the movement event to the NSIS module on the node; the NSIS module sends the extended Query message and establishes the NTLP-layer connection used for firewall discovery and traversal.
Step 102: When this Query message reaches an intermediate node on the way (one that supports NSIS signaling), after NTLP-layer message authentication the current node builds its firewall information into a firewall information object (FW Information Object), appends it to the Query message and continues forwarding; the firewall information object records the identification information of the firewall nodes on the path.
Referring to Fig. 5, the firewall information object contains the following fields:
1) NAT/FW number (Number): a node receiving the Query message adds 1 to this field, indicating the number of NAT/FWs on the path;
2) reserved field (Reserved);
3) address field (Address): a node receiving the Query message appends the address information of its firewall to this field;
4) cookie information field: the NAT/FW NSLP signaling authentication information;
5) firewall type: describes the basic operating mechanism of the firewall, for example a packet-filter firewall, a stateful firewall or an application-proxy firewall;
6) firewall direction: indicates whether the source of the Query message is inside or outside the firewall; from this field one can learn which entity the firewall protects.
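An encoder and parser for the firewall information object described above, added here as an example (it is not code from the patent or from any NSIS implementation). The patent names the fields but fixes no wire format, so the byte layout, field widths and the code points for the type and direction fields are assumptions made for illustration. `append_firewall` is what a firewall node does on receiving the Query (increment the count, append its own entry); `parse_object` is what the HA does when it extracts and stores the object, and it refuses an object whose count disagrees with its payload, which is the check a receiver wants before trusting the count field.

```python
"""
Encoder/decoder for the firewall information object (FW Information Object)
carried in the extended GIST Query, following the field list given for Fig. 5.

Added example; not code from the patent or any NSIS implementation. The byte
layout (field widths, type/direction code points) is an assumption made here
for illustration: the patent names the fields but fixes no wire format.
"""
import ipaddress
import struct

# Assumed code points for the "firewall type" field (the three kinds named in the text).
FW_TYPE_PACKET_FILTER = 1
FW_TYPE_STATEFUL = 2
FW_TYPE_APPLICATION_PROXY = 3

# Assumed code points for the "firewall direction" field: where the Query came
# from relative to the firewall, which tells the HA which side is protected.
DIR_QUERY_FROM_INSIDE = 0
DIR_QUERY_FROM_OUTSIDE = 1

# Assumed header: 1 byte NAT/FW count (Number), 1 byte Reserved.
_HDR = struct.Struct("!BB")
# Assumed per-firewall entry: 16-byte IPv6 address, 16-byte cookie, type, direction.
_ENTRY = struct.Struct("!16s16sBB")


def empty_object() -> bytes:
    """Object as placed in the Query by the initiating node: count 0, no entries."""
    return _HDR.pack(0, 0)


def append_firewall(obj: bytes, address: str, cookie: bytes, fw_type: int, direction: int) -> bytes:
    """Step 102 at a firewall node: add 1 to the NAT/FW number and append this
    node's address, authentication cookie, type and direction, then forward."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes in this assumed layout")
    count, reserved = _HDR.unpack_from(obj, 0)
    if count == 255:
        raise ValueError("NAT/FW count field exhausted")
    addr = ipaddress.IPv6Address(address).packed
    return (_HDR.pack(count + 1, reserved) + obj[_HDR.size:]
            + _ENTRY.pack(addr, cookie, fw_type, direction))


def parse_object(obj: bytes) -> list:
    """Step 103 at the HA: extract every recorded firewall. A count that does
    not match the payload length is rejected as a malformed object rather than
    trusted, so a corrupted or truncated object cannot mis-state the path."""
    count, _reserved = _HDR.unpack_from(obj, 0)
    body = obj[_HDR.size:]
    if len(body) != count * _ENTRY.size:
        raise ValueError(f"count {count} does not match {len(body)} payload bytes")
    entries = []
    for i in range(count):
        addr, cookie, fw_type, direction = _ENTRY.unpack_from(body, i * _ENTRY.size)
        entries.append({
            "address": str(ipaddress.IPv6Address(addr)),
            "cookie": cookie,
            "type": fw_type,
            "direction": direction,
        })
    return entries


def firewall_present(obj: bytes) -> bool:
    """Step 104 at the HA, after GIST-Confirm: is there any firewall on the path?"""
    return len(parse_object(obj)) > 0
```

Because each firewall node rewrites only the count and appends its own entry, the object grows hop by hop and the HA receives the entries in path order, which is what lets the notification in step 106 describe all firewalls on the path at once.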
Step 103: The HA extracts the firewall information object carried in the received Query message and stores it;
Step 104: After the NTLP three-way handshake completes (the HA receives GIST-Confirm), the HA judges from the stored firewall information object whether a firewall exists on the path; if there is no firewall, step 105 is executed, otherwise step 106.
Step 105: Return a Firewall Detection Notification message to the MN carrying the global firewall information for the path, which tells the MN that there is no firewall on the path and that no traversal is needed.
Step 106: Send a Firewall Detection Notification message to the MN informing it of the global firewall information for the path, which comprises the firewall information object carried in the Query message and which entity (HA or MN) initiates firewall traversal. In this embodiment the Firewall Detection Notification message contains the following fields:
Action code (ActionCode): tells whether the firewall traversal process is to be initiated and which entity initiates it;
Firewall information object (FW Information Object): contains the information of the firewalls on the path, used to assist firewall traversal.
If the HA needs to initiate firewall traversal, go to step 107; if the MN needs to initiate it, go to step 108.
Step 107: The HA initiates the reverse firewall traversal NSLP signaling.
Step 108: The MN initiates the forward firewall traversal NSLP signaling.
The firewall traversal process in steps 107 and 108 is similar to the prior-art NSIS firewall traversal signaling of Fig. 3 and is not described again here.
This embodiment introduces a firewall discovery method by extending the NTLP protocol. The method is based on the NSIS protocol, introduces no new firewall discovery mechanism, can be combined seamlessly with the existing NSIS-based firewall traversal mechanism, and avoids the extra signaling overhead of a separate firewall discovery mechanism not based on NSIS. Concrete examples are given in embodiments 1, 2 and 3 below.
Embodiment 1
After the MN moves it needs to traverse the firewall between itself and the HA, where the HA is protected by the firewall.
In this embodiment the MN is the signaling initiator NI and the HA is the signaling responder NR. Referring to Fig. 6, this flow is forward discovery followed by reverse firewall traversal; the concrete signaling flow is as follows:
1) When the signaling initiator NI needs to initiate firewall traversal signaling, it first sends the GIST-Query message with the NTLP-layer extension carrying the firewall information object, establishing NTLP signaling state hop by hop along the signaling path through the three-way handshake;
2) After an NF node on the path that has a firewall receives the GIST-Query message, it records its own address in the firewall information object;
3) After the signaling responder NR receives the GIST-Query message, it finds that an FW Information Object is present and that the firewall traversal flow needs to be initiated by the NR. After the GIST three-way handshake completes, it sends a Firewall Detection Notification to the NI informing it that there is a firewall on the path, and the NR initiates the upper-layer NSLP GIST-data-CREATE message in the reverse direction; the NSLP signaling is carried over the already established NTLP state, so as to configure the firewall policy on the path.
Embodiment 2
Referring to Fig. 7, the signaling flow diagram of the firewall traversal provided by this embodiment: the MN is the signaling initiator NI and the HA is the signaling responder NR. This flow is forward discovery followed by forward firewall traversal; the concrete signaling flow is as follows:
1) When the signaling initiator NI needs to initiate firewall traversal signaling, it first sends the GIST-Query message with the NTLP-layer extension carrying the firewall information object, establishing NTLP signaling state hop by hop along the signaling path through the three-way handshake;
2) After an NF node on the path that has a firewall receives the GIST-Query message, it records its own address in the firewall information object;
3) After the signaling responder NR receives the GIST-Query message, it finds that an FW Information Object is present and that the firewall traversal flow needs to be initiated by the NI. After the GIST three-way handshake completes, it sends a Firewall Detection Notification to the NI informing it that there is a firewall on the path and giving the firewall information, and the NI initiates the upper-layer NSLP GIST-data-CREATE message in the forward direction; the NSLP signaling is carried over the already established NTLP state, so as to configure the firewall policy on the path.
Embodiment 3
Referring to Fig. 8, taking as an example the MN sending a BU to the HA where there is no firewall between the MN and the HA, but the MN does not know whether a firewall exists. The process is basically similar to the ones above; the difference is that the HA tells the MN, in the ActionCode of the Firewall Detection Notification message, that there is no firewall on the path and no firewall traversal is needed.
After the signaling initiator MN receives the Firewall Detection Notification message sent by the HA, it checks the message; if there is no firewall on the path, the NSIS firewall discovery and traversal signaling operation terminates.
In this embodiment, after the NTLP layer performs the firewall discovery procedure, the NSIS signaling flow stops if there is no firewall on the communication path, which avoids the wasted signaling of the existing NSIS-based firewall traversal mechanism and thereby saves overhead and reduces network delay.
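The discovery flow of Fig. 4 (steps 101 to 108) and the three outcomes of embodiments 1, 2 and 3 (reverse traversal by the HA, forward traversal by the MN, and termination when no firewall is found), as one added message-level simulation. It is not code from the patent or from any implementation: the object is modelled as a plain dict rather than a wire format, the node class and strings are assumptions, and the rule the HA uses to choose the initiating entity is also an assumption made for illustration, namely that if any firewall on the path saw the Query arrive from its outside, the HA is the protected side and initiates the reverse traversal, otherwise the MN initiates the forward traversal.

```python
"""
Message-level simulation of the firewall discovery flow of Fig. 4 (steps
101-108) and of embodiments 1-3 (Figs. 6-8): the MN sends an extended GIST
Query, each NSIS-capable firewall node on the path appends its information,
the HA checks the object after the three-way handshake and returns a Firewall
Detection Notification whose ActionCode says whether traversal is needed and
which entity starts it.

Added example; not code from the patent or any implementation. The decision
rule in ha_decide() and all names below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ActionCode(Enum):
    NO_TRAVERSAL = "no firewall on path; NSIS signaling stops"
    HA_INITIATES_REVERSE = "HA initiates reverse NSLP traversal"
    MN_INITIATES_FORWARD = "MN initiates forward NSLP traversal"


@dataclass
class PathNode:
    name: str
    supports_nsis: bool = True
    firewall: Optional[dict] = None  # address/type/direction if this node has one


def new_query() -> dict:
    """Step 101: the MN's NSIS module sends the extended Query with an empty object."""
    return {"type": "GIST-Query", "fw_info": {"count": 0, "entries": []}}


def forward_through(node: PathNode, query: dict) -> dict:
    """Step 102: an NSIS-capable node that has a firewall records itself and forwards.
    A node that does not take part in NSIS passes the message along unchanged,
    so a firewall on such a node is invisible to this discovery mechanism."""
    if node.supports_nsis and node.firewall is not None:
        obj = query["fw_info"]
        obj["count"] += 1
        obj["entries"].append(dict(node.firewall))
    return query


def ha_decide(stored: dict) -> dict:
    """Steps 103-106: the HA stores the object, checks it once the handshake is
    done, and builds the Firewall Detection Notification (ActionCode + object)."""
    entries = stored["entries"]
    if stored["count"] != len(entries):
        raise ValueError("firewall information object is inconsistent")
    if not entries:
        code = ActionCode.NO_TRAVERSAL                      # step 105
    elif any(e["direction"] == "query_from_outside" for e in entries):
        code = ActionCode.HA_INITIATES_REVERSE              # assumed rule: HA is protected
    else:
        code = ActionCode.MN_INITIATES_FORWARD
    return {"type": "Firewall Detection Notification", "ActionCode": code, "fw_info": stored}


def run_discovery(path: list) -> dict:
    """Drive MN -> path -> HA and report the notification plus the next step taken."""
    query = new_query()
    for node in path:
        query = forward_through(node, query)
    # GIST-Response / GIST-Confirm complete here; the HA then evaluates the object.
    notification = ha_decide(query["fw_info"])
    code = notification["ActionCode"]
    if code is ActionCode.HA_INITIATES_REVERSE:
        next_step = "step 107: HA sends GIST-data-CREATE over the existing NTLP state"
    elif code is ActionCode.MN_INITIATES_FORWARD:
        next_step = "step 108: MN sends GIST-data-CREATE over the existing NTLP state"
    else:
        next_step = "embodiment 3: NSIS signaling terminates"
    return {"notification": notification, "next": next_step}
```

The third case in the test, a firewall sitting on a node that does not take part in NSIS, is the practical limit of the mechanism that the text's "intermediate node (one that supports NSIS signaling)" implies: such a firewall is never recorded, so the HA reports no firewall and the MN's traffic may still be dropped by it.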
Embodiment 4
Referring to Fig. 9, this embodiment provides a node device acting as an initiating node. The device comprises:
a sending module, for sending a query message downstream, the query message carrying a firewall information object;
a receiving module, for receiving the global firewall information on the path returned by the destination node, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal;
a processing module, for judging, according to the entity information received by the receiving module, whether firewall traversal needs to be carried out, and if so, initiating firewall traversal according to the firewall information.
In this embodiment, a query message is sent, a node with a firewall on the path records its firewall information in the query message, and the other node devices on the path are thereby notified of the firewall information. The device is based on the NSIS protocol and introduces no new firewall discovery mechanism, so it can be seamlessly combined with the existing NSIS-based firewall traversal mechanism; it avoids the extra signaling overhead incurred by using a firewall discovery mechanism that is not based on NSIS, and reduces signaling complexity and network delay.
Embodiment 5
Referring to Figure 10, this embodiment provides a node device that has a firewall. The device comprises:
a receiving module, for receiving a query message;
an information recording module, for recording the firewall information of this node in the query message received by the receiving module;
a sending module, for sending the query message after the information recording module has recorded the firewall information.
Further, the query message received by the receiving module is the Query message of the NSIS (Next Steps in Signaling) signaling transport layer protocol and carries a firewall information object; correspondingly, the information recording module records the firewall information of this node in the firewall information object carried by the Query message.
In this embodiment, by recording firewall information in the query message, the other node devices on the path can be notified whether a firewall exists, so that they carry out firewall traversal only when a firewall is present. This reduces signaling complexity, saves overhead and reduces network delay.
Embodiment 6
Referring to Figure 11, this embodiment provides a node device acting as a destination node. The device comprises:
a receiving module, for receiving the query message sent by an upstream node;
a firewall discovery module, for judging, according to the firewall information in the query message received by the receiving module, whether a firewall exists on the path;
a processing module, for returning the global firewall information on the path to the initiating node of the query message according to the judgement of the firewall discovery module, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal; and, when a firewall exists on the path and the entity designated to perform firewall traversal is this node itself, initiating firewall traversal.
In this embodiment, the device judges whether a firewall exists on the path by checking the query message, returns the firewall information to the initiating node according to the result, or initiates firewall traversal itself when a firewall is present. This reduces signaling complexity, saves overhead and reduces network delay.
Embodiment 7
Referring to Figure 12, this embodiment provides a system for discovering firewalls and traversing them based on NSIS. The system comprises:
an initiating node, for sending a query message downstream;
an intermediate node, for receiving the query message from the upstream direction, recording the firewall information of this node in the query message when this node has a firewall, and sending the query message on;
a destination node, for receiving the query message from the upstream direction, judging whether a firewall exists on the path according to the firewall information in the query message, and returning the global firewall information on the path to the initiating node, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal; when a firewall exists on the path, the destination node initiates firewall traversal.
In this embodiment, the firewall discovery mechanism is introduced by extending the NTLP protocol. The system is based on the NSIS protocol and introduces no new firewall discovery mechanism, so it can be seamlessly combined with the existing NSIS-based firewall traversal mechanism and avoids the extra signaling overhead incurred by using a firewall discovery mechanism that is not based on NSIS.
Embodiment 8
Referring to Figure 13, this embodiment provides a system for discovering firewalls and traversing them based on NSIS. The system comprises:
an initiating node, for sending a query message downstream, and for receiving the global firewall information on the path returned from the downstream direction, where the global firewall information comprises the firewall information and the information on the entity that initiates firewall traversal; the initiating node judges, according to that entity information, whether firewall traversal needs to be carried out, and if so, initiates firewall traversal according to the firewall information;
an intermediate node, for receiving the query message from the upstream direction, recording the firewall information of this node in the query message when this node has a firewall, and sending the query message on;
a destination node, for receiving the query message from the upstream direction, judging whether a firewall exists on the path according to the firewall information in the query message, and returning the firewall information on the path to the initiating node, where the firewall information comprises the positions of the firewalls on the path and the information on the entity that initiates firewall traversal.
In this embodiment, the destination node judges whether a firewall exists on the path by checking the query message and returns the firewall information to the initiating node according to the result, or initiates firewall traversal itself when a firewall is present. This reduces signaling complexity, saves overhead and reduces network delay.
The technical solution provided by the above embodiments is equally applicable to SPF firewalls, and can effectively realize the discovery and traversal of SPF firewalls.
All or part of the technical solution provided by the above embodiments can be implemented by software programming; the software program is stored in a readable storage medium, for example a computer hard disk, CD-ROM or floppy disk.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its protection scope.

Claims (10)

1. A firewall traversal method, characterized in that the method comprises:
after a node that has a firewall receives a query message, recording the firewall information of this node in the query message and forwarding the query message downstream;
after a destination node receives the query message sent from the upstream direction, confirming whether a firewall exists on the path according to the firewall information in the query message;
the destination node returning, according to the result of the confirmation, the global firewall information on the path to the initiating node of the query message;
when a firewall exists on the path, the destination node or the initiating node initiating firewall traversal.
2. The firewall traversal method as claimed in claim 1, characterized in that the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal; correspondingly, the destination node or the initiating node initiating firewall traversal comprises:
judging, according to the information on the entity that initiates firewall traversal, whether firewall traversal needs to be carried out, and if so, initiating firewall traversal according to the firewall information.
3. The firewall traversal method as claimed in claim 1 or 2, characterized in that the firewall information comprises:
the number of firewalls, the address information of the firewalls, the type information of the firewalls and the direction information of the firewalls.
4. The firewall traversal method as claimed in claim 1, characterized in that the query message is the Query message of the NSIS (Next Steps in Signaling) signaling transport layer protocol and carries a firewall information object; correspondingly, recording the firewall information of this node in the query message comprises:
recording the firewall information of this node in the firewall information object carried by the Query message.
5. The firewall traversal method as claimed in claim 4, characterized in that initiating firewall traversal according to the firewall information comprises:
according to the firewall information, using the firewall traversal mechanism of the NSIS signaling transport layer protocol to transmit signaling application layer protocol signaling in order to carry out firewall traversal.
6. A node device, characterized in that the device comprises:
a sending module, for sending a query message downstream, the query message carrying a firewall information object;
a receiving module, for receiving the global firewall information on the path returned by a destination node, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal;
a processing module, for judging, according to the entity information received by the receiving module, whether firewall traversal needs to be carried out, and if so, initiating firewall traversal according to the firewall information.
7. A node device, the device having a firewall, characterized in that the device comprises:
a receiving module, for receiving a query message;
an information recording module, for recording the firewall information of this node in the query message received by the receiving module;
a sending module, for sending the query message after the information recording module has recorded the firewall information.
8. A node device, characterized in that the device comprises:
a receiving module, for receiving the query message sent by an upstream node;
a firewall discovery module, for judging, according to the firewall information in the query message received by the receiving module, whether a firewall exists on the path;
a processing module, for returning the global firewall information on the path to the initiating node of the query message according to the judgement of the firewall discovery module, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal, and for initiating firewall traversal when a firewall exists on the path and the entity designated to perform firewall traversal is this node itself.
9. A system, characterized in that the system comprises:
an initiating node, for sending a query message downstream;
an intermediate node, for receiving the query message from the upstream direction, recording the firewall information of this node in the query message when this node has a firewall, and sending the query message on;
a destination node, for receiving the query message from the upstream direction, judging whether a firewall exists on the path according to the firewall information in the query message, and returning the global firewall information on the path to the initiating node, where the global firewall information comprises the firewall information in the query message and the information on the entity that initiates firewall traversal, and for initiating firewall traversal when a firewall exists on the path.
10. A system, characterized in that the system comprises:
an initiating node, for sending a query message downstream, and for receiving the global firewall information on the path returned from the downstream direction, where the global firewall information comprises the firewall information and the information on the entity that initiates firewall traversal, judging, according to that entity information, whether firewall traversal needs to be carried out, and if so, initiating firewall traversal according to the firewall information;
an intermediate node, for receiving the query message from the upstream direction, recording the firewall information of this node in the query message when this node has a firewall, and sending the query message on;
a destination node, for receiving the query message from the upstream direction, judging whether a firewall exists on the path according to the firewall information in the query message, and returning the global firewall information on the path to the initiating node.
CN2008100850443A 2008-03-14 2008-03-14 Method, node device and system for traversing firewall Active CN101534289B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100850443A CN101534289B (en) 2008-03-14 2008-03-14 Method, node device and system for traversing firewall

Publications (2)

Publication Number Publication Date
CN101534289A true CN101534289A (en) 2009-09-16
CN101534289B CN101534289B (en) 2012-05-23

Family

ID=41104677

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848235A (en) * 2010-04-16 2010-09-29 北京航空航天大学 Real-time multimedia data P2P transmission scheme for supporting NAT traversal
CN101873324A (en) * 2010-06-22 2010-10-27 北京神州泰岳软件股份有限公司 Method for passing through firewall
CN103634305A (en) * 2013-11-15 2014-03-12 北京奇虎科技有限公司 Website firewall recognition method and equipment
CN113992369A (en) * 2021-10-18 2022-01-28 北京天融信网络安全技术有限公司 Network security device topology management method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant